HIGH 8.0

CVE-2026-41723: VMware Cloud Foundation Operations Stored XSS Vulnerability (CVSS 8.0)

VMware Cloud Foundation Operations contains multiple stored cross-site scripting (XSS) vulnerabilities that allow authenticated users with policy, view, or text-widget creation privileges to inject malicious scripts. These scripts execute in the context of administrative sessions, potentially enabling attackers to perform unauthorized administrative actions. The vulnerability requires an attacker to have legitimate access credentials and user interaction to succeed, but poses significant risk to organizations running affected VMware infrastructure management platforms.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-79
Affected products
6 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41723 comprises multiple stored XSS flaws (CWE-79) in VMware Cloud Foundation Operations. An authenticated attacker with permissions to create policies, views, or text-widgets can inject arbitrary JavaScript that persists in the application database. When administrators view the attacker-controlled content, the malicious script executes with the victim's privileges, potentially allowing manipulation of cloud foundation configurations, user accounts, or operational settings. The vulnerability has a CVSS 3.1 score of 8.0 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, requirement for low-level privileges, reliance on user interaction, and potential for high impact across confidentiality, integrity, and availability.

Business impact

Exploitation could allow insiders or compromised accounts to perform administrative actions without direct credential compromise—a particularly dangerous escalation vector. Attackers could modify monitoring policies, alter operational views, inject backdoors into infrastructure templates, or extract sensitive configuration data. For organizations relying on VMware Cloud Foundation for multi-tenant or hybrid cloud operations, this represents a lateral movement and privilege escalation risk that could undermine the security posture of the entire virtualization estate. The need for user interaction (typically clicking a malicious link) makes social engineering or account compromise scenarios plausible attack chains.

Affected systems

The vulnerability affects multiple VMware platforms: VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware vSphere environments that include or integrate Cloud Foundation Operations components. Organizations operating multi-cloud orchestration, telco cloud deployments, or integrated virtualization stacks with these products should assess exposure. Verify your specific product versions and configurations against the VMware security advisory to determine if your deployment contains the vulnerable code paths.

Exploitability

Exploitation requires an authenticated attacker with privileges to create policies, views, or text-widgets—a moderate barrier that limits the threat to privileged insiders, contractors, or accounts compromised through phishing or credential theft. The attack also requires user interaction (typically an administrator clicking a crafted link or viewing injected content), which reduces opportunistic exploitation but remains realistic in targeted scenarios. The simplicity of XSS injection and the high privileges granted to operators in cloud management platforms make this a practical concern once an attacker gains initial access. No public exploit code or KEV listing has been reported as of the vulnerability's publication.

Remediation

Apply security updates from VMware addressing these stored XSS flaws across affected Cloud Foundation Operations components. VMware typically releases patches through their security advisory channels; consult the official VMware security page for specific version numbers and patch availability for your installed products. Interim mitigations include restricting policy, view, and text-widget creation privileges to trusted administrators, enforcing strong authentication and session management, and monitoring administrative UI access logs for suspicious policy modifications.

Patch guidance

Consult VMware's official security advisory for CVE-2026-41723 to identify patched versions for Aria Operations, Cloud Foundation, Telco Cloud Platform, and vSphere. Patches should be validated in a test environment before production deployment, particularly given the administrative scope of affected systems. Plan patching in coordination with change management and operational schedules to minimize disruption to cloud infrastructure. Enable VMware's update channels to receive notifications of patch releases.

Detection guidance

Monitor application logs and Web Application Firewall (WAF) alerts for unusual script injection patterns in policy, view, and text-widget creation APIs. Look for base64-encoded payloads, event handler attributes (onclick, onerror, onload), or script tags in request parameters. Audit the policies and views database or configuration files for unexpected JavaScript content that was not authored by known administrators. Correlation of suspicious policy modifications with user sessions and login events can reveal attacker behavior. If available, enable verbose logging in Cloud Foundation Operations UI components to capture all content creation events.

Why prioritize this

This vulnerability merits prompt patching due to its HIGH severity, the potential for lateral movement and privilege escalation, and the administrative context in which it operates. Although it requires authentication and user interaction, both barriers are surmountable in realistic attack chains where insiders are compromised or social engineering is effective. The breadth of affected VMware products—particularly in enterprise and telco deployments—increases the likelihood of exposure across large organizations.

Risk score, explained

The CVSS 3.1 score of 8.0 (HIGH) reflects the combination of network-level exploitability, low attack complexity, and potential for high impact on confidentiality, integrity, and availability. The low privilege requirement (authenticated users) and reliance on user interaction prevent a CRITICAL rating, but the ability to execute arbitrary actions in the administrative plane warrants urgent remediation. Organizations with multi-tenant or externally-facing Cloud Foundation deployments should treat this as a priority.

Frequently asked questions

Do I need administrative credentials to exploit this vulnerability?

No. An attacker only needs privileges to create policies, views, or text-widgets—a role commonly delegated to operational staff, architects, or automation tools. This lower privilege threshold increases the potential pool of exploitable accounts, especially if those roles can be compromised through phishing or lateral movement.

What happens if a malicious script is injected into a policy?

When an administrator views or manages the malicious policy, the injected script executes in their browser with their administrative session privileges. The attacker can then perform unauthorized actions such as creating user accounts, modifying configurations, extracting secrets, or altering monitoring rules—all appearing to originate from the compromised administrator's account.

Are there any workarounds if I cannot patch immediately?

While patching is the definitive fix, interim controls include restricting policy and view creation to a small, trusted group of administrators; enforcing multi-factor authentication for administrative access; and deploying a WAF or application-level input validation to strip JavaScript from policy creation requests. However, these are compensating controls, not substitutes for patching.

Is this vulnerability being actively exploited in the wild?

As of the vulnerability's publication date (June 2026), there is no public indication of active exploitation or KEV listing. However, the low barrier to exploitation and high value of cloud infrastructure targets mean organizations should not assume that exploitation has not occurred. Conduct forensic review of recent policy and view modifications, particularly those created by unusual accounts or timestamps.

This analysis is based on publicly available information as of June 2026 and does not constitute a formal vulnerability assessment of your environment. Organizations must verify affected product versions against the official VMware security advisory. Patch version numbers and availability details should be confirmed directly with VMware before deployment. This guidance is for informational purposes and does not replace engagement with your internal security team, vendor support, or a third-party assessment firm. SEC.co does not assume liability for decisions made based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).